RT2626: Change default_bits from 1K to 2K This is a more comprehensive fix. It changes all keygen apps to use 2K keys. It also changes the default to use SHA256 not SHA1. This is from Kurt's upstream Debian changes. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
diff --git a/apps/dhparam.c b/apps/dhparam.c index f5d7126..606365e 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c
@@ -130,7 +130,7 @@ #undef PROG #define PROG dhparam_main -#define DEFBITS 512 +#define DEFBITS 2048 /* -inform arg - input format - default PEM (DER or PEM) * -outform arg - output format - default PEM @@ -253,7 +253,7 @@ BIO_printf(bio_err," -C Output C code\n"); BIO_printf(bio_err," -2 generate parameters using 2 as the generator value\n"); BIO_printf(bio_err," -5 generate parameters using 5 as the generator value\n"); - BIO_printf(bio_err," numbits number of bits in to generate (default 512)\n"); + BIO_printf(bio_err," numbits number of bits in to generate (default 2048)\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); #endif
diff --git a/apps/gendh.c b/apps/gendh.c index 4ec776b..8df8c62 100644 --- a/apps/gendh.c +++ b/apps/gendh.c
@@ -78,7 +78,7 @@ #include <openssl/x509.h> #include <openssl/pem.h> -#define DEFBITS 512 +#define DEFBITS 2048 #undef PROG #define PROG gendh_main
diff --git a/apps/genrsa.c b/apps/genrsa.c index 94cb613..6b835c0 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c
@@ -78,7 +78,7 @@ #include <openssl/pem.h> #include <openssl/rand.h> -#define DEFBITS 1024 +#define DEFBITS 2048 #undef PROG #define PROG genrsa_main
diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 514e640..41c2a37 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf
@@ -103,7 +103,7 @@ #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 50273b0..61a1b01 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c
@@ -643,7 +643,7 @@ #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 2; default:
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index a149bf6..62ea5a9 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c
@@ -649,7 +649,7 @@ #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 2; default:
diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c index 3d998e9..ff937ca 100644 --- a/crypto/hmac/hm_ameth.c +++ b/crypto/hmac/hm_ameth.c
@@ -89,7 +89,7 @@ switch (op) { case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 1; default:
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index c6e083f..419a5d4 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c
@@ -460,7 +460,7 @@ #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 1; default: